I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

to researchers who identified two new bugs in the Microsoft Windows XP Universal Serial Bus [USB] driver.

SPI Dynamics security engineers David Dewey and Darrin Barrall at last week's Black Hat security conference discussing two USB driver bugs that could easily lead to daunting security compromise. In "Plug and Root, the USB Key to the Kingdom," they showed how easy it is to transform a common USB storage device into what is essentially a hardware-based Trojan.

While physical proximity to a machine could lead to easy compromise, Dewey said physical compromise is usually risky and visible. A USB-based Trojan, however, can allow for full data compromise with less than 10 seconds of physical access. Citing the example of a retail point-of-sale terminal with a USB port on the monitor, a malicious attacker can discretely plug in the USB device, wait 10 seconds while a monitoring program downloads and then leave the scene. Subsequently, after a time period of a week or so has elapsed, the USB device is plugged back in and the recorded transaction and credit card information is pulled off the terminal for "two, 10-second attacks that no one ever saw."

Another example cited is to simply put out a fishbowl of free USB devices that look like thumb-drive freebies at a conference, or typical "marketing swag," as a way to effectively distribute a rootkit that sends information back to the malicious attacker. Dewey stated "someone walks by, picks this up and they root themselves" -- alluding to having the device "phone home" and transport information after a USB device is inserted into a victim's PC.

Dewey stated this was only a few of many simple ways a malicious individual could leverage USB devices to his benefit with the "Walk-Up-and-Own, attack vector."

While this type of attack can only occur with Windows AutoRun functionality, and only works on non-removable devices, Dewey showed how to make a USB device look non-removable via in-system programming typically used to update USB device firmware. Dewey suggests countering USB-based attacks by disabling Windows XP AutoRun functionality.

Subsequently, Darrin Barrall presented the hardware "Meta-USB" device, which the team constructed as a tool to attack an OS kernel. The so-called meta-USB device can emulate other USB devices that have device drivers that are typically written with, and assumed to be trusted by, the operating system.

While the Meta-USB device is constructed so it can look like any USB device supported by the Windows operating system, Dewey stated these issues are not specific to Windows. "We'll be able to target some Windows specific drivers that are by default installed, [on Windows] 2000 and later, and we will target those. This same device that we have, however, is USB 2.0 compliant and can be tested against Linux, OS X, whatever you want."

An anonymous source close to the issue said that what was shown was only the tip of the iceberg and that a device like the Meta-USB could be used to "own the box" with much more ease that the presenters described.

Victor R. Garza is a technology/security consultant and lecturer at the Naval Postgraduate School in Monterey, Calif.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy